Professional Documents
Culture Documents
INTERNAL AUDIT
CONTRIBUTION TO EFFICIENT RISK MANAGEMENT
INTRODUCTION
RAPID changes in information technology and managerial practices in many
organizations were forcing efficient risk management as a vital mean for
reducing the total business risk. Management uses risk assessment as part of
the process of ensuring the success of the entity. In this process, internal audit
IJEB International Conference on Economic and Business Issues, New Delhi, India, 2009
Chair: Kishore G. Kulkarni & Bansi Shawhny – Co-Chair of the Conference: Dr. Michail Pazarskis
Reprinted Paper from Conference Proceedings
2 JOURNAL OF BUSINESS MANAGEMENT
• Audit risk is the risk where exists the probability to do not evaluate
and contribute to the improvement of risk management, control and
governance or do not recognize the assurance and consulting role of
internal auditing in corporate governance and simultaneously in risk
assessment. This includes
• Inherent Risk
• Control Risk
• Detection Risk
• Information risk is the risk that unreliable information will be
provided to decision makers (Arens and Loebbecke, 1991).
General
When conducting audits, the department’s basic scope is to assess the quality
of management’s risk management practices within specific operational
processes and to provide assurance to the Board of Directors and group
management. The auditors devote most of their attention to processes with
the highest risk exposures usually the primary activities in the value chain—
to ensure maximum added value.
IJEB International Conference on Economic and Business Issues, New Delhi, India, 2009
Chair: Kishore G. Kulkarni & Bansi Shawhny – Co-Chair of the Conference: Dr. Michail Pazarskis
Reprinted Paper from Conference Proceedings
8 JOURNAL OF BUSINESS MANAGEMENT
Inherent Risk
Inherent risk is a risk that is intrinsic to the business. The risk of such
misstatements is greater for some assertions and balances than for others (Sawyer,
2003). The auditor assesses inherent risk without taking into account the control
structure (Gill et al., 2001; Gray and Manson, 2000; Taylor and Glezen, 1991).
This means that inherent risk is assessed without taking into account controls
which may be in place to prevent non-compliance, inefficient and ineffective
operations or material misstatements (Colbert and Alderman, 1995).
The auditor uses his professional judgment and takes into account many
factors when assessing inherent risk (Colbert and Alderman, 1995). The auditor
is able to assess some of the inherent risk by considering the organization as a
whole, because some risks are created by the entity’s culture and management
style. Every organization is subject to its own inherent risks and the internal
auditor should catalogue them for use in risk assessment. When the auditor
assesses the inherent risk, he must establish the obstacles that will prevent
from the bad implications resulting from those risks. This consideration deals
with the control risk.
IJEB International Conference on Economic and Business Issues, New Delhi, India, 2009
Chair: Kishore G. Kulkarni & Bansi Shawhny – Co-Chair of the Conference: Dr. Michail Pazarskis
Reprinted Paper from Conference Proceedings
INTERNAL AUDIT CONTRIBUTION TO EFFICIENT RISK MANAGEMENT 9
Control Risk
Control risk is the risk that non-compliance, inefficient or ineffective operations,
are not prevented or detected by an entity’s internal control structure, procedures
or policies (Sawyer, 2003). The internal auditor first deal with the control structure
and then control risk is assessed. Some control risks will always exist due to
inherent limitations of any internal control structure. In other words, since there
is no way, risk to be zero, there will be some risks even after the best controls
have been installed. That degree of risk is control risk.
If the auditor assesses control risk at its maximum level tests of controls
need not be performed. However, if control risk is assessed at a level
below the maximum, the auditor identifies policies and procedures that
are relevant to the engagement. Then the internal auditor performs
tests of controls to support the lower level of control risk (Colbert and
Alderman, 1995).
Detection Risk
Detection risk is the risk that the internal auditor does not detect material
misstatements, instances of non-compliance, or inefficient or ineffective
operations. That is, assuming non-compliance occurs, operations are inefficient
or ineffective, or a misstatement enters the system, and the control structure
does not prevent or locate the situation, there is a risk that the problem
may remain because the auditor does not detect the problem (Colbert and
Alderman, 1995).
When audit risk has been established and inherent risk and control risk
have been assessed, the internal auditor solves the audit-risk equation for
detection risk.
Therefore the equation becomes: DR = AR/IR × CR.
An auditor would select those audit procedures that in his crisis would
reduce detection risk below the planned detection risk. This emphasizes the
concept that inherent and control risk exist independent of the audit. Based
on the planned level of detection risk, the auditor adjusts the nature, timing,
and extent of substantive testing. On the one hand, if planned detection risk is
low-thus, the internal auditor must plan substantive tests to achieve high
confidence-the internal auditor adjusts the nature, timing, and extent of
substantive procedures in response to the planned level of detection risk. The
auditor may plan substantive tests which provide more reliable evidence or
test more items. On the other hand, as planned detection risk rises, which
means that the internal auditor receives the required confidence from
substantive procedures, he has the ability to reduce them.
IJEB International Conference on Economic and Business Issues, New Delhi, India, 2009
Chair: Kishore G. Kulkarni & Bansi Shawhny – Co-Chair of the Conference: Dr. Michail Pazarskis
Reprinted Paper from Conference Proceedings
10 JOURNAL OF BUSINESS MANAGEMENT
Table 1
Different Levels of Risk
Cycle A. e.g Sales B. e.g. C.e.g. Order
Production Cycle Cycle
Auditor assessment for We expect many We expect few We expect few
the probability to have misstatements misstatements misstatements
misstatements without
considering the internal
control system
(inherent risk) (High) (Low) (Low)
Auditor assessment for High High Medium
the efficiency of internal efficiency of efficiency of efficiency of
control system to prevent internal internal internal
the misstatements control system controlsystem controlsystem
(control risk) (Low) (Low) (Medium)
Quantity of evidence that Medium Low Medium
the auditor aims to collect
(detection risk) (Medium) (High) (Medium)
CONCLUSIONS
The last few decades have been characterized by unparalleled change.
Nowadays, researchers pay more attention to risk management due to its great
importance for the world economy. Simultaneously, all auditing information
is established as an essential mean for the exact management of any business
economic resources. In today’s highly competitive business environment,
internal audit plays a catalytic role (Papastathis, 2003; Papadatou, 2005). As
Power (2004) states: “internal control is an unshakeable part of the moral
economy of organizations”.
Nowadays, it is a fact that, internal audit has experienced a very hard
period but made great progress. During the twenty-first century, internal audit
IJEB International Conference on Economic and Business Issues, New Delhi, India, 2009
Chair: Kishore G. Kulkarni & Bansi Shawhny – Co-Chair of the Conference: Dr. Michail Pazarskis
Reprinted Paper from Conference Proceedings
INTERNAL AUDIT CONTRIBUTION TO EFFICIENT RISK MANAGEMENT 11
will see its great improvement in many business fields such as risk assessment.
History will witness that we will be able to grasp the current favourable
opportunity, overcome all difficulties and make new achievements in internal
auditing. Internal audit will surely have bright future prospects in business
success and especially in efficient risk management.
Last, a possible limitation of the research results is that little work has
been undertaken concerning the collaboration between internal audit and risk
management in an international context. Thus a suggestion for future research
would be to examine the possible applications of internal control system in
risk assessment for a longer period with even more studies in a worldwide
perception. Another promising research initiative would be to further explore
how a risk management system based on the internal control system might be
best operationalised to business entity. In this concept, researchers should
examine an ex post review to ensure that the risk assessment model that is
being used reflects the actual risks faced by an organization. Significant
differences should be investigated and the risk assessment model revised to
include missing variables.
References
Arens, A. and Loebbecke, J. (1991), “Auditing An Integrated Approach”, 5th edition,
Prentice-Hall International Editions, pp. 10.
Bekiaris, M. (2003), “Internal Audit”, University of Aegean, Chios.
Bell, T., Marrs, F., Solomon, I., and Thomas, H. (1997), “Auditing Organisations Through a
Strategic-systems Lens - The KPMG Business Measurement Process”, KPMG Peat Marwick
LLP.
Beumer, H. (2006), “A Risk–oriented Approach”, Internal Auditor, pp. 72-76.
Bou-Raad, G. (2000), “Internal Auditors and a Value-added Approach: The New Business
Regime”, Managerial Auditing Journal, 15(4), pp. 182-6.
Cai, C. (1997), “On the Functions and Objectives of Internal Audit and their Underlying
Conditions”, Managerial Auditing Journal, 12(4), pp. 247-250.
Canadian Institute of Chartered Accountants (CICA) (1995), “Guidance on Control”, CICA,
Toronto.
Carmichael, D. R., Willingham, J. J. and Schaller C. A. (1996), “Auditing Concepts and Methods.
A Guide to Current Theory and Practice”, 6th edition, McGraw-Hill ed., pp. 25.
Chambers, A. D. (2000), “Internal Audit and Risk Management: Impact on Internal Audit–
development or Revolution?”, Internal Control, (32), pp. 3-7.
Crawford, M. and Stein, W. (2002), “Auditing Risk Management: Fine in Theory but who
can do it in Practice?”, International Journal of Auditing, 6, pp. 119-131.
Colbert, L. Janet and Alderman, C. W. (1995), “A risk-driven Approach to the Internal
Audit”, Managerial Auditing Journal, 10(2), pp. 38-44.
IJEB International Conference on Economic and Business Issues, New Delhi, India, 2009
Chair: Kishore G. Kulkarni & Bansi Shawhny – Co-Chair of the Conference: Dr. Michail Pazarskis
Reprinted Paper from Conference Proceedings
12 JOURNAL OF BUSINESS MANAGEMENT
Olsson, C. (2002), “Risk Management in Emerging Markets. How to Survive and Prosper”,
Pearson Education-Prentice Hall Inc., New Jersey, US.
Papadatou, Th. (2005), “Internal and External Control of Joint Stock Companies”, Sakoulas
ed., Greece.
Papas, A. (1999), “Introduction in Auditing”, Benos ed., Athens, pp. 109-110.
Papastathis, P. (2003), “The Modern Internal Control in Businesses and its Applications in them”,
OPAP ed., Greece.
Pazarskis, M., Eleftheriadis, I., Drogalas, G. and Christodoulou, P. (2007), “A Note on
Evaluation of Merger Waves Diachronically and a Proposition for Business Risk
Reduction in the New Era”, 2007 Management of International Business & Economic
Systems (MIBES) Conference, Dept. of Business Administration of the TEI of Larissa,
Larissa, Greece, Conference Proceedings.
Power, M. (2004), “The Nature of Risk: The Risk Management of Everything”, Balance Sheet,
12(5), pp. 19-28.
Rezaee, Z. (1995), “What the COSO Report Means for Internal Auditors”, Managerial
Auditing Journal, 10(6), pp. 5-9.
Sarens, G. and De Beelde, I. (2006), “Internal Auditors’ Perception about their Role in Risk
Management. A Comparison between US and Belgian Companies”, Managerial
Auditing Journal, Emerald Group Publishing Limited, 21(1), pp. 63-80.
Sawyer, B. L. (2003), “Sawyer’s Internal Auditing. The Practise of Modern Internal Auditing”,
The Institute of Internal Auditors, 5th ed., pp. 120-121.
Selim, G. and McNamee, D. (1999a), “Risk Management and Internal Auditing: What are
the Essential Building Blocks for a Successful Paradigm Change”, International Journal
of Auditing, 3(2), pp. 147-155.
Selim, G. and McNamee, D. (1999b), “Risk Management and Internal Auditing Relationship:
Developing and Validating a Model”, International Journal of Auditing, 3(3), pp. 159-
174.
Spira F.L., and Page, M. (2003), “Risk Management: The Reinvention of Internal Control
and the Changing Role of Internal Audit,” Accounting, Auditing & Accountability
Journal, 16(4), pp. 640-661.
Taylor, D. H. and Glezen, W. G. (1991), “Auditing: Integrated Concepts and Procedures”, 5th
ed., John Wiley & Sons Inc, U.S., 5, pp. 29.
The Institute of Chartered Accountants in England and Wales (1999), “Internal Control:
Guidance for Directors on the Combined Code (The Turnbull Report)” available at:
www.frc.org.uk/corporate/ internalcontrol.cfm .
The Institute of Internal Auditors-UK (1991), “Standards and Guidelines for the Professional
Practice of Internal Auditing”, IIA-UK ed. (Statement of Responsibilities).
The Institute of Internal Auditors (1999), “Definition of Internal Auditing”, The Institute of
Internal Auditors, Altamonte Springs, FL.
The Institute of Internal Auditors (2000), “Internal Auditing: Adding Value Across the Board,
IIA, Corporate Brochure.
IJEB International Conference on Economic and Business Issues, New Delhi, India, 2009
Chair: Kishore G. Kulkarni & Bansi Shawhny – Co-Chair of the Conference: Dr. Michail Pazarskis
Reprinted Paper from Conference Proceedings
14 JOURNAL OF BUSINESS MANAGEMENT
The Institute of Internal Auditors (2004), “International Standards for the Professional Practice
of Internal Auditing,” available at: www.theiia.org/?doc_id=1499.
Wang, X. (1997), “Development Trends and Future Prospects of Internal Audit”, Managerial
Auditing Journal, 12(4/5), pp. 200-204.
Williams, P. (1995), “A Regulation Evaluation System: A Decision Support System for the Building
Code of Australia”, Construction Management and Economics, 13, pp. 197-208.
IJEB International Conference on Economic and Business Issues, New Delhi, India, 2009
Chair: Kishore G. Kulkarni & Bansi Shawhny – Co-Chair of the Conference: Dr. Michail Pazarskis
Reprinted Paper from Conference Proceedings